December 2017

December 21, 2017

Jim Calloway and I are pleased to announce that our Tech Toys for the Holidays Legal Talk Network podcast is out. There is always a mix of offerings from the practical to the silly/sublime. From doorbells to submarines (yes you can own your own), from smart watches to smart toilets (could I make that up?), we have something for everyone.

Jim and I always have fun recording this one – and we are grateful for the feedback of our listeners telling us they enjoy the annual tech toys podcast as well.

December 20, 2017

As Reuters reported on December 18th, Moscow-based security software maker Kaspersky Lab has asked a U.S. federal court to overturn a Trump administration ban on use of its products in government networks, alleging the move deprived the company of due process.

The Department of Homeland Security (DHS) in September issued a directive ordering civilian government agencies to remove Kaspersky software from their networks within 90 days because of concern among U.S. officials that the software could enable Russian espionage and threaten national security.

The appeal is part of an ongoing campaign by Kaspersky to refute allegations the company is vulnerable to Kremlin influence. The company has repeatedly denied it has ties to any government and said it would not help a government with cyber espionage.

"DHS has harmed Kaspersky Lab's reputation and its commercial operations without any evidence of wrongdoing by the company," the company's founder, Eugene Kaspersky, said in an open letter to the Homeland Security agency published Monday.

The lawsuit alleges that the government largely relied on uncorroborated news media reports as evidence in a review of Kaspersky software. It asks the court to overturn the ban and also declare that the Russian company's products do not pose a security threat to U.S. government computers.

The value of Kaspersky's software sales to the U.S. government totaled less than $54,000, or about 0.03 percent of its U.S. subsidiary's sales in the United States, according to the complaint. Actually, that small figure surprised me.

Still, the allegations have hurt Kaspersky's much bigger consumer software business, prompting retailers such as Best Buy Co to pull Kaspersky products.

Kaspersky said in October that it would submit the source code of its software and future updates for inspection by independent parties. U.S. officials have said that step, while welcome, would not be sufficient.

If there is real evidence of any collusion, I would be surprised. But I am always prepared to eat crow pie.

December 19, 2017

As recently reported in Wired, over 40 percent of e-mails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools.

Tracking clients embed a line of code in the body of an email—usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates. Major tech companies like Facebook and Twitter followed suit in their ongoing goal to profile and predict our behavior online.

Lately, a growing number of tracked e-mails are being sent not from corporations, but people you know. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there."

According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the e-mails you get from your friends. And you probably never noticed. I sure as heck never did.

"I do not know of a single established sales team in [the online sales industry] that does not use some form of email open tracking," says John-Henry Scherck, a content marketing pro and the principal consultant at Growth Plays. "I think it will be a matter of time before either everyone uses them," Scherck says, "or major email providers block them entirely."

Both Amazon and Facebook use e-mail trackers a lot. When Facebook sends you an e-mail notifying you about new activity on your account, it opens an app in the background, and now Facebook knows where you are, the device you're using, the last picture you've taken—they get everything.

Both Amazon and Facebook "deeplink all of the clickable links within the e-mail to trigger actions on their app running on your device," Seroussi says. "Depending on permissions set by the user, Facebook will have access to almost everything from Camera Roll, location, and many other logs that are hidden. But even if a user has disabled location permission on his device, e-mail tracking will bypass this restriction and still provide Facebook with the user's location."

"Look, everybody opens e-mails, even if they don't respond to them," Seroussi says. "If you can learn where a celebrity is—or anyone—just by emailing them, it's a security threat." It could be used as a tool for stalkers, harassers, even thieves who might be sending you spam e-mails just to see if you're home.

"During the 2016 election, we sent a tracked e-mail out to the US senators, and the people running for the presidency," Seroussi says. "We wanted to know, were they doing anything about tracking? Obviously, the answer was no. We typically got the location of their devices, the IP addresses; you could pinpoint almost exactly where they were, which hotels they were staying at."

There's one more reason to be wary: E-mail tracking is evolving. Research from October looked at e-mails from newsletter and mailing list services from the 14,000 most popular websites on the web, and found that 85 percent contained trackers—and 30 percent leak your email addresses to outside corporations, without your consent.

"You can have tens of parties receive your email address," says Steven Englehardt, one of the computer scientists behind the study. "Your email hash is really your identity, right? If you go to a store, make a purchase or sign up for something—everything we do today is associated with your email." Data brokers have long stockpiled information on consumers through web tracking: browsing habits, personal bios, and location data. But adding an e-mail address into the mix, Englehardt says, is even more reason for alarm.

"This kind of tracking creates a big dataset. If a dataset leaks with email hashes, then it'd be trivial for anyone to go see that person's data, and people would have no idea that data even existed," he says. "You can compare it to the Experian data leak, which exposed people's social security numbers, and could cause fraud. In my mind, this leak would be even worse. Because it's not just financial fraud, but intimate details of people's lives."

A host of anti-tracking services have sprung up to combat the rising tide of inbox tracers—from Ugly Mail, to PixelBlock, to Senders. Ugly Mail notifies you when an email is carrying a tracking pixel, and PixelBlock prevents it from opening. Senders makes use of a similar product formerly known as Trackbuster, as part of a service that displays info (Twitter, LinkedIn account, etc.) about the sender of the e-mail you're reading.

Even those methods aren't foolproof. Tracking methods are always evolving and finding ways around the current crop of track-blockers. "It's a fight we're having over the last couple of years," Seroussi says. "They can't counter all the methods that we know—so they get around the block by setting up new infrastructures. It's a chase, they're doing a job."

To prevent third parties from leaking your e-mail, meanwhile, Princeton's Englehardt says "the only surefire solution right now is to block images by default." That is, turn on image-blocking in your email client, so you can't receive any images at all.

OMC has found dozens of novel methods that newfangled trackers are using to get your e-mail open info. "We found 70 different ways where they use tracking," Seroussi says, "Sometimes it's a color, sometimes it's a font, sometimes it's a pixel, and sometimes it's a link."
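As an added illustration (not code from the Wired piece or from OMC's tools), here is a small Python scanner that flags the fetch-on-open patterns the article names: a hidden or 1x1 remote image, a remote font pulled in through a `<style>` block, and links bounced through a domain other than the sender's own. The sample message, its `.test` domains and the `example-sender.test` sender domain are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical .test domains, not real trackers):
# a hidden 1x1 open-tracking image, a remote @font-face, a click-tracked link,
# and one ordinary logo image that should not be flagged.
SAMPLE_EMAIL = """<html><head><style>
@font-face{font-family:t;src:url(https://fonts.example-mailer.test/t.woff?u=user42)}
</style></head><body><p>Hi, here is our update.</p>
<a href="https://click.example-mailer.test/r/9f8e7d?u=user42">Read more</a>
<img src="https://open.example-mailer.test/o/9f8e7d.gif?u=user42" width="1" height="1" style="display:none">
<img src="https://www.example-sender.test/logo.png" width="120" height="40" alt="logo">
</body></html>"""


class TrackerScanner(HTMLParser):
    """Records the resource loads in an HTML body that would reveal an open."""

    def __init__(self, sender_domain):
        super().__init__()
        self.sender_domain = sender_domain
        self.findings = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in (a.get("style") or "").replace(" ", "")
            # A remote image the reader cannot see exists only to be fetched.
            if src.startswith("http") and (tiny or hidden):
                self.findings.append(("tracking-pixel", src))
        elif tag == "a":
            href = a.get("href") or ""
            host = urlparse(href).hostname or ""
            # A link bounced through a host that is not the sender's own domain
            # is the usual click-tracking redirect.
            if host and not host.endswith(self.sender_domain):
                self.findings.append(("tracked-link", href))

    def handle_data(self, data):
        # html.parser hands raw <style> text here; remote fonts/CSS load on open too.
        for url in re.findall(r"url\((https?://[^)\s]+)\)", data):
            self.findings.append(("remote-font-or-css", url))


def scan_email(html, sender_domain):
    scanner = TrackerScanner(sender_domain)
    scanner.feed(html)
    return scanner.findings
```

Blocking remote images, as the article recommends, stops the first two kinds of finding but not the click-tracked link, which only fires when the reader follows it.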

Scary stuff. Seems to me that Congressional action is needed, but then again, that may be (and usually is) wishful thinking.

December 18, 2017

Who cares what the public wants? Not the FCC. In spite of the fact that 83% of Americans favor net neutrality, as The Washington Post reported last week, the FCC voted on December 14th to allow Internet providers to speed up service for websites they favor — and block or slow down others — in a decision repealing Obama-era regulations overseeing broadband companies such as AT&T and Verizon.

The 3-2 vote, which was along party lines, enabled the FCC's controversial Republican chairman, Ajit Pai, to follow through on his promise to repeal the government's 2015 net neutrality rules, which required Internet providers to treat all websites, large and small, equally. The agency also rejected some of its own authority over the broadband industry in an effort to stop future FCC officials who might seek to reverse the ruling.

Consumers might not feel the effects of this decision immediately. But eventually they could start to see packages and pricing that would steer them toward some content over others, critics of the FCC's vote argued.

For example, under the Obama-era rules, Verizon was not allowed to favor Yahoo and AOL, which it owns, by blocking Google or charging the search giant extra fees to connect to customers. Under the new rules, that type of behavior would be legal, as long as Verizon disclosed it.

A number of state attorneys general have said that they intend to file lawsuits to stop the FCC's reversal of net neutrality.

FCC Commissioner Jessica Rosenworcel, a Democrat, challenged the public feedback process that led to the decision, alleging major irregularities in the record. Two million comments filed to the FCC on net neutrality were submitted under stolen identities, she said. Half a million came from Russian addresses, and 50,000 net neutrality complaints have gone "inexplicably missing."

So don't look for immediate changes – litigation will tie things up for a while and, I hope, ultimately restore net neutrality.

December 14, 2017

On Tuesday, President Trump signed a law that bans the use of Kaspersky Lab software within the U.S. government, amid concerns it is vulnerable to Kremlin influence.

According to a story from Reuters, the ban, included as part of a broader defense policy spending bill that Trump signed, reinforces a directive issued by the Trump administration in September that civilian agencies remove Kaspersky Lab software within 90 days. The law applies to both civilian and military networks.

"The case against Kaspersky is well-documented and deeply concerning. This law is long overdue," said Democratic Senator Jeanne Shaheen, who led calls in Congress to scrub the software from government computers. She added that the company's software represented a "grave risk" to U.S. national security.

Kaspersky Lab has repeatedly denied that it has ties to any government and said it would not help a government with cyber espionage. To address suspicions, the company said in October it would submit the source code of its software and future updates for inspection by independent parties. U.S. officials have said that while they welcome that step, it does not suffice to allay their concerns.

Kaspersky Lab said it continued to have "serious concerns" about the law "due to its geographic-specific approach to cybersecurity." It also said that it is assessing its options and will continue to "protect its customers from cyber threats (while) collaborating globally with the IT security community to fight cybercrime."

I remain skeptical of the attacks against Kaspersky, which has, for many years, been highly regarded as one of the leading companies protecting against cyber threats, consistently on the cutting edge of discovering new threats and protecting against them. It may be that Kaspersky is simply a victim of political optics.

December 13, 2017

In the wake of many high profile data breaches, we may have been oblivious to the potentially greater danger posed by a different kind of hack. As LA Progressive discussed in a recent article, imagine that a major food company gets hacked. But this time, instead of leaking the company's proprietary information or encrypting its systems with ransomware, the hackers manipulate the data on which the company relies. Expiration dates on milk cartons get scrambled so that some are thrown away early while others make people sick, despite appearing within their use-by date. Figures are changed slightly on pending invoices to vendors, altering the company's balance sheets by hundreds of thousands of dollars. Small changes are made to food-safety tests so that a dangerous product now looks like it is passing regulation tests.

Would the company notice such changes happening? How could its investors accurately assess the company's value when all of its financials might be based on faulty information? How might its customers and suppliers respond? With lawsuits?

The example above is bad enough but apply the same scenario to banks, medical institutions, and government organizations – it is even more frightening.

How do we detect and stop data manipulation? We need to design systems that are carefully watching for manipulation. Hard or offline backups are essential, and data holders should develop systems to regularly compare live versions of their data to their backups. (According to Osterman Research, most companies don't do this continuously, and some don't do it at all.)
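As an added example (not from the LA Progressive article or Osterman Research), the live-versus-backup comparison can be done with keyed per-record digests stored with the offline backup: the records, the demo key and the two tampered values are constructed for this example, and the digests flag exactly the altered invoice and safety-test rows without needing the full backup online.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # in practice kept only with the offline backup

# Constructed records for a food company, made up for this example. The live
# copy has two quiet edits: an invoice amount and a failed safety test.
BASELINE = [
    {"id": "INV-1001", "vendor": "Dairy Co", "amount": 12500.00},
    {"id": "INV-1002", "vendor": "Grain Co", "amount": 8400.00},
    {"id": "LOT-77", "product": "milk", "use_by": "2017-12-30", "safety_test": "pass"},
    {"id": "LOT-78", "product": "milk", "use_by": "2017-12-31", "safety_test": "fail"},
]
LIVE = [
    {"id": "INV-1001", "vendor": "Dairy Co", "amount": 12500.00},
    {"id": "INV-1002", "vendor": "Grain Co", "amount": 84000.00},  # one extra zero
    {"id": "LOT-77", "product": "milk", "use_by": "2017-12-30", "safety_test": "pass"},
    {"id": "LOT-78", "product": "milk", "use_by": "2017-12-31", "safety_test": "pass"},  # fail -> pass
]


def record_digest(record, key):
    """HMAC-SHA256 over a canonical (sorted-key) JSON form: reordering fields
    changes nothing, any value change does, and without the key an attacker
    who can edit the live rows cannot recompute matching digests."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def build_baseline(records, key):
    """Digest table to store alongside the offline backup."""
    return {r["id"]: record_digest(r, key) for r in records}


def find_tampering(live, baseline, key):
    """Compare live rows to the baseline digests.
    Returns (modified_ids, missing_ids, added_ids), each sorted."""
    live_by_id = {r["id"]: r for r in live}
    modified = sorted(
        i for i, r in live_by_id.items()
        if i in baseline and not hmac.compare_digest(record_digest(r, key), baseline[i])
    )
    missing = sorted(set(baseline) - set(live_by_id))
    added = sorted(set(live_by_id) - set(baseline))
    return modified, missing, added


if __name__ == "__main__":
    digests = build_baseline(BASELINE, DEMO_KEY)
    print(find_tampering(LIVE, digests, DEMO_KEY))  # (['INV-1002', 'LOT-78'], [], [])
```

Run continuously, this is the "regularly compare live data to backups" step; the digest table is small enough to check on every sync, and a comparison that suddenly reports modified rows is the alert the article says most companies never get.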

The article suggests there is a small silver lining: One of the easiest ways for organizations to defend against hackers is to beat them at their own game. When infiltrators can't tell what data is real, they won't know what actually might be of value. Emmanuel Macron's French presidential campaign, for instance, reportedly fooled hackers with fake data, which limited the effectiveness of campaign hacks as a result.

I read that with some trepidation. This seems to me to be a double-edged sword. We're having enough trouble identifying fake news without deliberately making more fake news up! If we start making up fake data, we may be compounding a problem rather than solving it.

December 12, 2017

Not everyone thinks so. It was voted out of one reporter's house (after two weeks) in a Washington Post story last week. It's a good, fun read that will make you think.

And if you are still persuaded that you want it, check out The Store by James Patterson (and a co-author). The book, which I read with fascination in Hawaii last week, is a thinly disguised story about Amazon, which has a heck of a lot of power over us today – and knows way too much about us. It has gotten downright creepy. The novel takes that concept much farther, spinning it into a futuristic nightmare of control. While the book does not constitute great literature, it sure made me think carefully about how much I wanted to embrace Amazon technology that would run my house.

Oh, and by the way, the Amazon Key has already been hacked. There was a fix (sort of), but I think I am keeping control of my house out of Amazon's hands.

December 11, 2017

Sadly, when one goes to Hawaii, one must ultimately come home. And of course, catching up on the news is a priority, though I bemoan the loss of poolside afternoons and Waikiki Freezes. Back to the job at hand.

On December 5th, NIST published the second draft of the proposed update to the Framework for Improving Critical Infrastructure Cybersecurity. This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. This latest draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017.

Public comments for the latest draft of Cybersecurity Framework version 1.1 and the draft Roadmap are due to NIST by Friday, January 19, 2018 via cyberframework@nist.gov. NIST anticipates finalizing Cybersecurity Framework version 1.1 in Spring 2018.

There's a helpful Fact Sheet worth reviewing for the highlights of the new draft.

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.